Guests: Shawn Hooper
What he does: Shawn has worked as a computer programmer for most of his life, and is currently the Director of IT for Actionable Books, where his job entails developing all of the internal tools for their staff. He is also a WordPress core contributor and teaches WordPress at Camp Tech.
Ponderance: How do SSL certificates and HTTPS help to secure websites?
Find him online: shawnhooper.ca
In today’s episode, Shawn joins Avery to talk about issues of HTTPS and SSL Certification. During this discussion, Shawn explains some of the technicalities of these things, and puts them in a practical framework that listeners can apply to their own websites.
"When you run your own website, SSL certificates/security issues become your responsibility" - Shawn Hooper
- Term Definitions: SSL and TLS
- Term Definitions: HTTPS
- URLs in specific Web Browsers
- Notices of Security
- Pros of switching websites to HTTPS
- How to Implement SSL and HTTPS on your website
- Purchasing an SSL Certificate
- Three types of certificates
- Price of certificates
- Resources for Obtaining Certificates
- Process of putting an SSL certificate on your website
- Mixed Content Warnings
[2:50] SSL stands for Secure Sockets Layer. This is actually an old protocol, and the new one is called Transport Layer Security, or TLS. SSL/TLS are cryptographic protocols that ensure that the data travelling between your computer and the computer that you’re getting data from is encrypted for both parties.
[4:50] HTTPS is a secure version of the HTTP protocol. HTTP is the standard that defines how a web browser and a web server exchange data. This covers permissions to request a page, how the server responds to that request, and how it handles errors. HTTPS adds an additional layer of security on top, so it’s HTTP over SSL.
[6:30] In your web browser, when you look at the address bar, if it is secure you will see a little padlock. This means you are using https and the connection between you and the site is secure. The URL will also start with https, rather than http.
[7:55] Web browsers are starting to draw the attention of website owners and website visitors to security, and to encourage enabling HTTPS on the websites we visit. The “not secure” notice shows up on pages that are not secured with HTTPS and that have a form requiring a password or perhaps credit card information.
[10:05] Another type of warning could come on a page that is HTTPS, but isn’t fully secure. This is a sign of a broken implementation — it might be represented by a broken padlock or an i with a circle around it.
[11:54] In addition to security, the biggest benefit of switching to HTTPS and having a secure site is that it helps increase the trust between your customers and you. If they trust you, they are more likely to interact with the site much more easily. In some cases, having an SSL/HTTPS encrypted website is a requirement. This is required if you accept credit card data. Google will also give a slight increase in ranking to sites that are HTTPS.
[14:05] To implement SSL/HTTPS, you need to buy a certificate that will act as a “handshake” between your computer and the web server. This certificate identifies your server as being you, and allows your visitors’ browsers to recognize your website. There are three different types of certificates available: 1) domain-validated certificate, 2) organization-validated certificate, and 3) extended-validation certificate. From a technical standpoint, in terms of what they do, they all encrypt the same way. It is from a trust standpoint that they differ.
[18:23] In terms of cost, you could get a domain-validated certificate for free. An organization called Let’s Encrypt offers free SSL certificates. Many web-hosting companies are building Let’s Encrypt right into their web offerings. A certificate from Let’s Encrypt expires after 90 days, rather than a year like most other SSL certificates, but it can be auto-renewed. This option is a great solution for those who want a little boost of trust but don’t necessarily need the higher-end validation of who you are.
[20:48] If your web host doesn’t support Let’s Encrypt, you can get domain-validated certificates from a certificate authority for a couple of dollars a year. The other two types of certificates are more expensive.
[22:19] Some factors that might affect the cost of your certificates: A wildcard certificate will allow you to secure a domain name and all of its host names in a single certificate. There is usually a premium that may increase the price. Along with this, Shawn and Avery discuss the probability of websites not using the “www.” domains.
[25:20] As a non-technical person, should you reach out for technical help or can you do this? Shawn recommends contacting tech support for your web host or your web developer to find out what the process is and determine the best way to proceed.
[26:13] Shawn talks through the process of putting an SSL Certificate on your website. A CSR (certificate signing request) is created by the web server that identifies it as the web server. This is submitted to the certificate authority, and you get a certificate that matches the CSR. Then these have to be connected together.
[27:51] Once you set up the certificate, your website should be encrypted. To make sure, you can go to your HTTP website and see if it’s being redirected to the secure HTTPS version. You may have to change a setting to ensure your website is running on HTTPS. If you are still getting warnings, an element on the page may not be being transmitted using HTTPS. To be considered fully secure, each element must be changed to HTTPS. Shawn and Avery discuss some different situations that could be causing a mixed content warning.
[33:30] Practical tips: Get in touch with your hosting company and try to get them to put the SSL certificate on your website for you. If you are still getting the mixed content warning, then you may need to bring in a web professional.
[36:14] It is important to make sure that we are doing as much as we possibly can to be secure on our computers and on our websites, and this level of encryption is just one extra step for your protection. It is much easier now than it was in the past.